The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.

Warning: This is not maintained anymore, please use django-oauth-plus if you want to be up-to-date.

Authenticating with OAuth

OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials with the Consumer. OAuth uses Tokens generated by the Service Provider instead of the User's credentials in Protected Resources requests. The process uses two Token types:

- Request Token: Used by the Consumer to ask the User to authorize access to the Protected Resources. The User-authorized Request Token is exchanged for an Access Token, MUST only be used once, and MUST NOT be used for any other purpose. It is RECOMMENDED that Request Tokens have a limited lifetime.

- Access Token: Used by the Consumer to access the Protected Resources on behalf of the User. Access Tokens MAY limit access to certain Protected Resources, and MAY have a limited lifetime. Service Providers SHOULD allow Users to revoke Access Tokens. Only the Access Token SHALL be used to access the Protect Resources.

OAuth Authentication is done in three steps:

- The Consumer obtains an unauthorized Request Token.- The User authorizes the Request Token.- The Consumer exchanges the Request Token for an Access Token.

See the OAuth Authentication Flow if you need visual details.

Django installation

There are a few steps for setting up a proper installation. The OAuth Python library is required and must be patched (at least for the moment).

You can find a custom version of the module at the root level of django-oauth.

You need to specify the OAuth provider application in your settings and to sync your database thanks to the syncdb command. Then add it to your URLs:

Note: The oauth prefix is not required, you can specify whatever you want.

As a provider, you probably need to customize the view you display to the user in order to allow access. The OAUTH_AUTHORIZE_VIEW setting allow you to specify this view, for instance:

# settings.pyOAUTH_AUTHORIZE_VIEW = 'myapp.views.oauth_authorize'

Note: See example below with a custom callback view (optional), which depends on OAUTH_CALLBACK_VIEW setting.

Note: This implementation set an oauth flag in session which certify that the validation had been done by the current user. Otherwise, the external service can directly POST the validation argument and validate the token without any action from the user if he is already logged in. Do not delete it in your own view.

There is another setting dedicated to OAuth OAUTH_REALM_KEY_NAME, which allows you to specify a realm which will be used in headers:

Note: You can customize the length of your key/secret attributes with constants KEY_SIZE, SECRET_SIZE and CONSUMER_KEY_SIZE defined in consts.py. Default is set to 16 characters for KEY_SIZE and SECRET_SIZE and 256 characters for CONSUMER_KEY_SIZE.

A complete example is available in oauth_examples/provider/ folder, you can run tests from this example with this command: